Veeam has released security updates to address four flaws in its Veeam ONE IT monitoring and analytics platform, two of which are rated critical in severity.
The list of vulnerabilities is as follows -
- CVE-2023-38547 (CVSS score: 9.9) - An unspecified flaw that can be leveraged by an unauthenticated user to obtain information about the SQL server connection Veeam ONE uses to access its configuration database, resulting in remote code execution on the SQL server.
- CVE-2023-38548 (CVSS score: 9.8) - A flaw in Veeam ONE that allows an unprivileged user with access to the Veeam ONE Web Client to obtain the NTLM hash of the account used by the Veeam ONE Reporting Service.
- CVE-2023-38549 (CVSS score: 4.5) - A cross-site scripting (XSS) vulnerability that lets a user with the Veeam ONE Power User role obtain the access token of a user with the Veeam ONE Administrator role.
- CVE-2023-41723 (CVSS score: 4.3) - A vulnerability in Veeam ONE that permits a user with the Veeam ONE Read-Only User role to view the Dashboard Schedule.
While CVE-2023-38547, CVE-2023-38549, and CVE-2023-41723 affect Veeam ONE versions 11, 11a, and 12, CVE-2023-38548 affects only Veeam ONE 12. Fixes for the issues are available in the following versions -
- Veeam ONE 11 (11.0.0.1379)
- Veeam ONE 11a (11.0.1.1880)
- Veeam ONE 12 P20230314 (12.0.1.2591)
Over the past few months, critical flaws in Veeam's backup software have been exploited by multiple threat actors, including FIN7 and the BlackCat ransomware group, to distribute malware.
Users running the affected versions are advised to stop the Veeam ONE Monitoring and Veeam ONE Reporting services, replace the existing files with the files provided in the hotfix, and then restart both services.
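The stop / replace-files / restart procedure above is easy to get half-wrong by hand (a service left running holds a lock on the DLL, or the original files are lost with no way back). The PowerShell script below is an added example, written for this page and not Veeam's own tooling, that carries out those three steps in order, keeps a copy of every file it overwrites, and prints the old and new file versions so the change can be confirmed. The install path, the hotfix directory layout (mirroring the install directory) and the service display names are assumptions and must be checked against the target host.

```powershell
<#
  Added example, not part of the original article or of Veeam's hotfix.
  Applies a Veeam ONE hotfix the way the advisory describes:
    1. stop the Veeam ONE Monitoring and Reporting services,
    2. replace the installed files with the ones shipped in the hotfix,
    3. start both services again.
  Every overwritten file is copied to a backup folder first.

  Assumptions (not stated in the article):
    - $HotfixDir contains the extracted hotfix, laid out like the install
      directory (same relative sub-paths per component).
    - $InstallDir is the Veeam ONE install root; the default below is a
      typical location, not one the article confirms.
    - The services are matched by display name; adjust if yours differ.
#>
param(
    [Parameter(Mandatory)] [string] $HotfixDir,
    [string] $InstallDir = "C:\Program Files\Veeam\Veeam ONE",
    [string[]] $ServiceDisplayNames = @(
        "Veeam ONE Monitoring Service",
        "Veeam ONE Reporting Service"
    )
)

$ErrorActionPreference = "Stop"

# Resolve everything up front so we fail before touching a single file.
$services = foreach ($name in $ServiceDisplayNames) {
    $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
    if (-not $svc) { throw "Service '$name' not found; check the display names on this host." }
    $svc
}
if (-not (Test-Path -LiteralPath $InstallDir)) { throw "Install directory '$InstallDir' does not exist." }
$hotfixRoot = (Resolve-Path -LiteralPath $HotfixDir).Path.TrimEnd('\')
$payload    = Get-ChildItem -LiteralPath $hotfixRoot -Recurse -File
if (-not $payload) { throw "No files found under '$hotfixRoot'." }

$backupDir = Join-Path $env:TEMP ("VeeamONE-hotfix-backup-" + (Get-Date -Format "yyyyMMdd-HHmmss"))
New-Item -ItemType Directory -Path $backupDir | Out-Null

# Step 1: stop the services and wait until they are really stopped,
# otherwise the loaded binaries are still locked and Copy-Item fails.
Write-Host "Stopping services..."
$services | Stop-Service -Force
$services | ForEach-Object { $_.WaitForStatus("Stopped", [TimeSpan]::FromMinutes(2)) }

try {
    # Step 2: copy each hotfix file over its installed counterpart.
    foreach ($file in $payload) {
        $relative = $file.FullName.Substring($hotfixRoot.Length).TrimStart('\')
        $target   = Join-Path $InstallDir $relative
        $new      = $file.VersionInfo.FileVersion

        if (Test-Path -LiteralPath $target) {
            $old        = (Get-Item -LiteralPath $target).VersionInfo.FileVersion
            $backupPath = Join-Path $backupDir $relative
            New-Item -ItemType Directory -Path (Split-Path $backupPath) -Force | Out-Null
            Copy-Item -LiteralPath $target -Destination $backupPath
            Write-Host ("{0}: {1} -> {2}" -f $relative, $old, $new)
        } else {
            # The hotfix ships a file the install does not have yet; keep it.
            Write-Warning "$relative not present under $InstallDir; adding it."
            New-Item -ItemType Directory -Path (Split-Path $target) -Force | Out-Null
        }
        Copy-Item -LiteralPath $file.FullName -Destination $target -Force
    }
}
finally {
    # Step 3: always bring the services back, even if a copy failed,
    # so a broken run does not leave monitoring and reporting down.
    Write-Host "Starting services..."
    $services | Start-Service
    $services | ForEach-Object { $_.WaitForStatus("Running", [TimeSpan]::FromMinutes(2)) }
}

Write-Host "Done. Originals backed up to $backupDir"
```

Run it from an elevated PowerShell session on the Veeam ONE server, e.g. `.\Apply-VeeamOneHotfix.ps1 -HotfixDir C:\Temp\hotfix`. If a copy fails midway, the `finally` block still restarts the services; the files already replaced can be restored from the printed backup folder. Compare the versions it prints against the fixed build for your branch before considering the host patched.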
Some parts of this article are sourced from:
thehackernews.com